Malware analysis RV_ ACCIÓN DE TUTELA N° 50.001.40.88.002.2024.00002 00.eml Malicious activity

Add for printing

File name:	RV_ ACCIÓN DE TUTELA N° 50.001.40.88.002.2024.00002 00.eml
Full analysis:	https://app.any.run/tasks/18ead89d-1f75-4562-8406-0618204ef334
Verdict:	Malicious activity
Threats:	A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Remcos is a commercially distributed remote administration and surveillance tool that has been widely observed in unauthorized deployments, where threat actors use it to perform remote actions on compromised machines. It is actively maintained by its vendor, with new versions and feature updates released on a frequent, near-monthly basis. Remcos ist eine Malware vom Typ RAT, mit der Angreifer aus der Ferne Aktionen auf infizierten Computern durchführen können. Diese Malware ist extrem aktiv und wird fast jeden Monat mit Updates auf den neuesten Stand gebracht. Malware Trends Tracker >>>
Analysis date:	July 25, 2024, 14:54:12
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	rat remcos remote evasion keylogger
Indicators:
MIME:	message/rfc822
File info:	RFC 822 mail, ASCII text, with very long lines (857), with CRLF line terminators
MD5:	603D7CE480F561146FC46FA513323845
SHA1:	3FC52CC87BAC9E2575361CD9C8609EAA3BD98BBE
SHA256:	108B6135A5385A2DA973147C3796502738B155908E18F908ADAB8C3CC70C7514
SSDEEP:	49152:/DZZhz0G4EZYYvJpIb07ATxGjqL5c6WwxSqp3y6DWOYP5xjnA/PMgJW:r

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Antivirus name has been found in the command line (generic signature)
  - MpCmdRun.exe (PID: 7340)
- Changes the autorun value in the registry
  - DocxTutelaRad50 001 40 88 002 2024 00002 00.exe (PID: 7300)
- REMCOS has been detected
  - AppLaunch.exe (PID: 8184)
  - AppLaunch.exe (PID: 8184)
  - AppLaunch.exe (PID: 8184)
  - AppLaunch.exe (PID: 7856)
- Drops the executable file immediately after the start
  - DocxTutelaRad50 001 40 88 002 2024 00002 00.exe (PID: 7300)
- REMCOS has been detected (SURICATA)
  - AppLaunch.exe (PID: 8184)
- REMCOS has been detected (YARA)
  - AppLaunch.exe (PID: 8184)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 7708)
  - DocxTutelaRad50 001 40 88 002 2024 00002 00.exe (PID: 4752)
  - DocxTutelaRad50 001 40 88 002 2024 00002 00.exe (PID: 7300)
  - AppLaunch.exe (PID: 8184)
- Reads the date of Windows installation
  - DocxTutelaRad50 001 40 88 002 2024 00002 00.exe (PID: 4752)
  - DocxTutelaRad50 001 40 88 002 2024 00002 00.exe (PID: 7300)
- Starts CMD.EXE for commands execution
  - DocxTutelaRad50 001 40 88 002 2024 00002 00.exe (PID: 4752)
  - WinRAR.exe (PID: 7708)
  - DocxTutelaRad50 001 40 88 002 2024 00002 00.exe (PID: 7300)
- Executing commands from a ".bat" file
  - WinRAR.exe (PID: 7708)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 6468)
  - cmd.exe (PID: 7876)
  - cmd.exe (PID: 7552)
  - cmd.exe (PID: 7508)
- Executable content was dropped or overwritten
  - DocxTutelaRad50 001 40 88 002 2024 00002 00.exe (PID: 7300)
- Connects to unusual port
  - AppLaunch.exe (PID: 8184)
- Contacting a server suspected of hosting an CnC
  - AppLaunch.exe (PID: 8184)
- Checks for external IP
  - AppLaunch.exe (PID: 8184)
- Writes files like Keylogger logs
  - AppLaunch.exe (PID: 8184)
- There is functionality for taking screenshot (YARA)
  - AppLaunch.exe (PID: 8184)
INFO
- Application launched itself
  - msedge.exe (PID: 4520)
- Checks supported languages
  - TextInputHost.exe (PID: 4156)
  - identity_helper.exe (PID: 8060)
  - DocxTutelaRad50 001 40 88 002 2024 00002 00.exe (PID: 4752)
  - DocxTutelaRad50 001 40 88 002 2024 00002 00.exe (PID: 7300)
  - MpCmdRun.exe (PID: 7340)
  - AppLaunch.exe (PID: 8184)
  - AppLaunch.exe (PID: 7856)
- Reads the computer name
  - TextInputHost.exe (PID: 4156)
  - identity_helper.exe (PID: 8060)
  - DocxTutelaRad50 001 40 88 002 2024 00002 00.exe (PID: 4752)
  - MpCmdRun.exe (PID: 7340)
  - DocxTutelaRad50 001 40 88 002 2024 00002 00.exe (PID: 7300)
  - AppLaunch.exe (PID: 8184)
- Reads Microsoft Office registry keys
  - msedge.exe (PID: 4520)
- Reads Environment values
  - identity_helper.exe (PID: 8060)
  - DocxTutelaRad50 001 40 88 002 2024 00002 00.exe (PID: 4752)
  - DocxTutelaRad50 001 40 88 002 2024 00002 00.exe (PID: 7300)
  - AppLaunch.exe (PID: 8184)
- The process uses the downloaded file
  - msedge.exe (PID: 8064)
  - msedge.exe (PID: 4520)
  - WinRAR.exe (PID: 7708)
- Checks proxy server information
  - slui.exe (PID: 8128)
  - DocxTutelaRad50 001 40 88 002 2024 00002 00.exe (PID: 4752)
  - DocxTutelaRad50 001 40 88 002 2024 00002 00.exe (PID: 7300)
  - AppLaunch.exe (PID: 8184)
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 7708)
- Process checks computer location settings
  - DocxTutelaRad50 001 40 88 002 2024 00002 00.exe (PID: 4752)
  - DocxTutelaRad50 001 40 88 002 2024 00002 00.exe (PID: 7300)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 7708)
- Reads the machine GUID from the registry
  - DocxTutelaRad50 001 40 88 002 2024 00002 00.exe (PID: 4752)
  - DocxTutelaRad50 001 40 88 002 2024 00002 00.exe (PID: 7300)
  - AppLaunch.exe (PID: 8184)
- Disables trace logs
  - DocxTutelaRad50 001 40 88 002 2024 00002 00.exe (PID: 4752)
  - DocxTutelaRad50 001 40 88 002 2024 00002 00.exe (PID: 7300)
- Reads the software policy settings
  - DocxTutelaRad50 001 40 88 002 2024 00002 00.exe (PID: 4752)
  - DocxTutelaRad50 001 40 88 002 2024 00002 00.exe (PID: 7300)
- Create files in a temporary directory
  - MpCmdRun.exe (PID: 7340)
- Creates files or folders in the user directory
  - DocxTutelaRad50 001 40 88 002 2024 00002 00.exe (PID: 7300)
  - AppLaunch.exe (PID: 8184)
- Creates files in the program directory
  - AppLaunch.exe (PID: 8184)
- Reads security settings of Internet Explorer
  - Taskmgr.exe (PID: 6468)
- Manual execution by a user
  - Taskmgr.exe (PID: 6336)
  - Taskmgr.exe (PID: 6468)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Remcos

(PID) Process(8184) AppLaunch.exe

C2 (1)julio25.con-ip.com:7773

BotnetDESAFIO

Options

Connect_interval1

Install_flagFalse

Install_HKCU\RunTrue

Install_HKLM\RunTrue

Install_HKLM\Explorer\Run1

Install_HKLM\Winlogon\Shell100000

Setup_path%LOCALAPPDATA%

Copy_fileremcos.exe

Startup_valueFalse

Hide_fileFalse

Mutex_nameRmc-589ERS

Keylog_flag1

Keylog_path%LOCALAPPDATA%

Keylog_filelogs.dat

Keylog_cryptFalse

Hide_keylogFalse

Screenshot_flagFalse

Screenshot_time5

Take_ScreenshotFalse

Screenshot_path%APPDATA%

Screenshot_fileScreenshots

Screenshot_cryptFalse

Mouse_optionFalse

Delete_fileFalse

Audio_record_time5

Audio_path%ProgramFiles%

Audio_dirMicRecords

Connect_delay0

Copy_dirRemcos

Keylog_dirremcos

No Malware configuration.

Add for printing

TRiD

.eml	\|	E-Mail message (Var. 5) (100)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

229

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1048

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=5780 --field-trial-handle=2384,i,10987745157227370083,4354000832657949886,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1096

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1388

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2508 --field-trial-handle=2384,i,10987745157227370083,4354000832657949886,262144 --variations-seed-version /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1392

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2548 --field-trial-handle=2384,i,10987745157227370083,4354000832657949886,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1408

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6908 --field-trial-handle=2384,i,10987745157227370083,4354000832657949886,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2068

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=1488 --field-trial-handle=2384,i,10987745157227370083,4354000832657949886,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2088

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=1656 --field-trial-handle=2384,i,10987745157227370083,4354000832657949886,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2248

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5188 --field-trial-handle=2384,i,10987745157227370083,4354000832657949886,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2256

"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "0DB1299C-301F-484D-8C47-8E3078B66031" "18BC0882-8B01-4EA1-875F-1403C23A4D43" "5904"

C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe

—

OUTLOOK.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.

Version:

0.12.2.0

Modules

Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll

2300

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=7860 --field-trial-handle=2384,i,10987745157227370083,4354000832657949886,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

45 436

Read events

44 966

Write events

392

Delete events

Modification events


(PID) Process:	(5904) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:	write	Name:	6
Value: 01941A000000001000B24E9A3E05000000000000000500000000000000
(PID) Process:	(5904) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\5904
Operation:	write	Name:	0
Value: 0B0E10832FE45B607FE945A2DA8E863136E1D2230046E7A6D8EDA8D4B7ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511902ED2120B6F00750074006C006F006F006B002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:	(5904) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:	delete value	Name:	BootCommand
Value:
(PID) Process:	(5904) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:	delete value	Name:	BootFailureCount
Value:
(PID) Process:	(5904) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(5904) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	write	Name:	CantBootResolution
Value: BootSuccess
(PID) Process:	(5904) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	write	Name:	ProfileBeingOpened
Value: Outlook
(PID) Process:	(5904) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	write	Name:	SessionId
Value: 90DAD708-B605-4845-A6C4-89376D82CD0B
(PID) Process:	(5904) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	write	Name:	BootDiagnosticsLogFile
Value: C:\Users\admin\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16026_20146-20230209T1802460432-6544.etl
(PID) Process:	(5904) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:	delete value	Name:	ProfileBeingOpened
Value:

Add for printing

Executable files

Suspicious files

479

Text files

184

Unknown types

Dropped files

PID	Process	Filename		Type
5904	OUTLOOK.EXE	C:\Users\admin\Documents\Outlook Files\Outlook1.pst		—
		MD5:—	SHA256:—
5904	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres		binary
		MD5:4A64CB5A15F074E25E60A9215FCC38DD	SHA256:A38B0EB31FB02B0909C05ABA5EA087CE7B0ACEFF8C570E2777B94EE5F41B82BC
5904	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Temp\olk364F.tmp		binary
		MD5:5CEDDC70B4EEE64C63AE580F1C495CD2	SHA256:308A80C84084C7E2DB87800CF43270CCCD99AB4B8D8F506ED5C7DBE7FE3B9877
5904	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4D016201.dat		image
		MD5:E16CDC46779AFAB0E6B6B8C6B4D22646	SHA256:63F43450D7FD3A4099803D44743EEE444BEFC47908FE7173BBD8329989901EE1
5904	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4D2C3F74.dat		image
		MD5:9CB1E727F36A1725FE60423E106EC1B5	SHA256:F55F8AC98B5FD5FE939A23B872C2F9F7295A4ABD434074DBF014B0563D49A52D
5904	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres		binary
		MD5:9B70EE6AD501322F7FC2D002198CF422	SHA256:47B93863B43BEBDD2190C4A1D776DC439334A2FB6C38512DB29679CC98DB8CF2
5904	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\FORMS\FRMDATA64.DAT		binary
		MD5:6D4DE3C5917BAA7B9B0C272974B2FD4E	SHA256:EA295E017CCCD7A740EE9B7BFED3CC7C0FBBE82C991C26C051F8B3F549AB2F14
5904	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BEDB70E5.dat		image
		MD5:9BCD209C99152B6D0BB298549DC65B5A	SHA256:B972FACF72C0665E9CF639604AE18035918BC3637CE870C44C74DEEB778131DC
5904	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\377C5B7F.dat		image
		MD5:6D7E8E8BCA662D8A0478135EA6D01E17	SHA256:19FDF683596E58655F78D160E8409802AF16054F609DE7C47EA6B622BC219472
5904	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\267CF9A2.dat		image
		MD5:E4AF7007C4B62F8BDF83491D83B00703	SHA256:44D0F04DE48202C9DF9863D3AAEB68A896B0F9FA01BE3CF120F3DFAE661CE4FB

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

209

DNS requests

223

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5272	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4188	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6932	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
5904	OUTLOOK.EXE	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5528	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
1816	svchost.exe	HEAD	200	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/68eda192-d0f3-46cf-b3be-1a828f951b21?P1=1722412916&P2=404&P3=2&P4=R5FvGiGJwV1u0FnuGIPQ51VxdGYizBqwE%2bRz6%2fnmmLrJthK4C%2f6%2fkocxa22frTUiHc%2bZLBN9PCsYumvluS%2f1OQ%3d%3d	unknown	—	—	whitelisted
1816	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/68eda192-d0f3-46cf-b3be-1a828f951b21?P1=1722412916&P2=404&P3=2&P4=R5FvGiGJwV1u0FnuGIPQ51VxdGYizBqwE%2bRz6%2fnmmLrJthK4C%2f6%2fkocxa22frTUiHc%2bZLBN9PCsYumvluS%2f1OQ%3d%3d	unknown	—	—	whitelisted
1816	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/68eda192-d0f3-46cf-b3be-1a828f951b21?P1=1722412916&P2=404&P3=2&P4=R5FvGiGJwV1u0FnuGIPQ51VxdGYizBqwE%2bRz6%2fnmmLrJthK4C%2f6%2fkocxa22frTUiHc%2bZLBN9PCsYumvluS%2f1OQ%3d%3d	unknown	—	—	whitelisted
1816	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/68eda192-d0f3-46cf-b3be-1a828f951b21?P1=1722412916&P2=404&P3=2&P4=R5FvGiGJwV1u0FnuGIPQ51VxdGYizBqwE%2bRz6%2fnmmLrJthK4C%2f6%2fkocxa22frTUiHc%2bZLBN9PCsYumvluS%2f1OQ%3d%3d	unknown	—	—	whitelisted
1816	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/68eda192-d0f3-46cf-b3be-1a828f951b21?P1=1722412916&P2=404&P3=2&P4=R5FvGiGJwV1u0FnuGIPQ51VxdGYizBqwE%2bRz6%2fnmmLrJthK4C%2f6%2fkocxa22frTUiHc%2bZLBN9PCsYumvluS%2f1OQ%3d%3d	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
3952	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
3380	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6012	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4548	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	2.16.110.123:443	edgeservices.bing.com	Akamai International B.V.	DE	unknown
4204	svchost.exe	4.209.33.156:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
5904	OUTLOOK.EXE	52.113.194.132:443	ecs.office.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
5836	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
google.com	142.250.186.78	whitelisted
ecs.office.com	52.113.194.132	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
omex.cdn.office.net	23.53.40.48 23.53.40.82	whitelisted
self.events.data.microsoft.com	20.189.173.15 51.116.246.106	whitelisted
login.live.com	20.190.160.17 20.190.160.20 40.126.32.74 40.126.32.72 20.190.160.14 40.126.32.133 40.126.32.136 40.126.32.68 40.126.32.76 40.126.32.134 20.190.160.22	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
arc.msn.com	20.223.36.55 20.199.58.43 20.103.156.88	whitelisted
go.microsoft.com	23.35.238.131	whitelisted

Threats

PID	Process	Class	Message
1388	msedge.exe	Potentially Bad Traffic	ET DNS Query for .cc TLD
1388	msedge.exe	Potentially Bad Traffic	ET DNS Query for .cc TLD
1388	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
2284	svchost.exe	Potentially Bad Traffic	ET INFO DNS Redirection Service Domain in DNS Lookup (con-ip .com)
8184	AppLaunch.exe	A Network Trojan was detected	REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
8184	AppLaunch.exe	Malware Command and Control Activity Detected	ET JA3 Hash - Remcos 3.x/4.x TLS Connection

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

RV_ ACCIÓN DE TUTELA N° 50.001.40.88.002.2024.00002 00.eml

603D7CE480F561146FC46FA513323845

3FC52CC87BAC9E2575361CD9C8609EAA3BD98BBE

108B6135A5385A2DA973147C3796502738B155908E18F908ADAB8C3CC70C7514

49152:/DZZhz0G4EZYYvJpIb07ATxGjqL5c6WwxSqp3y6DWOYP5xjnA/PMgJW:r

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Antivirus name has been found in the command line (generic signature)

Changes the autorun value in the registry

REMCOS has been detected

Drops the executable file immediately after the start

REMCOS has been detected (SURICATA)

REMCOS has been detected (YARA)

SUSPICIOUS

Reads security settings of Internet Explorer

Reads the date of Windows installation

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

Uses TIMEOUT.EXE to delay execution

Executable content was dropped or overwritten

Connects to unusual port

Contacting a server suspected of hosting an CnC

Checks for external IP

Writes files like Keylogger logs

There is functionality for taking screenshot (YARA)

INFO

Application launched itself

Checks supported languages

Reads the computer name

Reads Microsoft Office registry keys

Reads Environment values

The process uses the downloaded file

Checks proxy server information

Drops the executable file immediately after the start

Process checks computer location settings

Executable content was dropped or overwritten

Reads the machine GUID from the registry

Disables trace logs

Reads the software policy settings

Create files in a temporary directory

Creates files or folders in the user directory

Creates files in the program directory

Reads security settings of Internet Explorer

Manual execution by a user

Malware configuration

Remcos

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events